The Data Protection Act 1998 (DPA) is perhaps the single most significant piece of legislation in this area. It governs the processing, retention, security and accuracy of 'personal data'. It applies equally to electronic data, such as databases and emails, and to paper-based filing systems, including informal records such as post-it notes and personal organisers.
Personal data are defined as any data item, or combination of data items, from which a living individual can be identified and which tells you something specific about that person, their family or their circumstances. This includes expressions of opinion about the person and any indication of someone's intentions towards him or her.
In a school context, personal data will include (for example) names, contact details, gender, dates of birth, behaviour records and academic achievements, as well as 'sensitive personal data' such as religious beliefs, physical and mental health conditions, and racial or ethnic origin.
For the purposes of the DPA, schools are separate legal entities, independent of the County Council. A school is a 'data controller': the person, usually an organisation, that determines the purposes for which, and the manner in which, any personal data are or are to be processed. In a school it is the head teacher and governors who make these decisions. The school must notify the ICO as a data controller and renew that notification each year, specifying which personal information is collected and held and with whom it is shared. You can check your school's registration here; the register can be searched only by postcode.
The Act works in two ways: it gives individuals certain rights in relation to the personal data the school holds about them (including the right to make a 'subject access request'), and it sets out rules, known as the data protection principles, which the school must follow when processing personal information. There are exemptions to both the rights and the rules. The DPA does not, however, give specific technical guidance on matters such as IT security: the seventh principle requires 'appropriate' technical and organisational measures, so the steps you take should be proportionate to the risks associated with the information held.
Data protection legislation is what is known as absolute law: if the school were prosecuted for contravening the DPA, it could not plead ignorance of the law as a defence. In addition, the Information Commissioner can impose a monetary penalty of up to £500,000 for a serious breach of the Act.
ICO data protection advice for schools
The ICO published a report in September 2012 to help schools handle personal information in line with the law. It was based on work with around 400 schools, so the areas it covers are common to most schools.
The key points are:
- Notification - make sure your annual notification to the ICO accurately describes the purposes for which you process personal data.
- Personal data - recognise the need to handle personal information in line with the eight data protection principles.
- Fair processing - tell pupils and staff what you do with the personal information you record about them (see the model privacy notice), and restrict access to personal information to those who need it.
- Security - keep confidential information secure when storing it, using it and sharing it with others.
- Disposal - when disposing of records and equipment, make sure personal information cannot be retrieved from them.
- Policies - have clear, practical policies and procedures on information governance for staff and governors to follow, and monitor their operation.
- Subject access requests - recognise, log and monitor subject access requests.
- Data sharing - be sure you are allowed to share information with others and make sure it is kept secure when shared.
- Websites - control access to any restricted area. Make sure you are allowed to publish any personal information (including images) on your website.
- CCTV - tell people what it is used for and review retention periods.
- Photographs - if your school takes photos for publication, mention your intentions in your fair processing/privacy notice.
- Processing by others - recognise when others are processing personal information on your behalf (the DPA requires a written contract with such 'data processors') and make sure they do it securely.
- Training - train staff and governors in the basics of information governance; recognise where the law and good practice need to be considered; and know where to turn for further advice.
- Freedom of information - after consulting staff, tell them what personal information about them you would disclose when answering FOI requests. FOI responses must not breach the DPA by disclosing inappropriate personal data.
Good records management processes help you to comply with data protection requirements - specific advice on records management can be found here.
Sources of useful information
In addition to those provided above, the links below offer further guidance:
ICO subject access code of practice - how to respond to requests for information about school records
ICO specialist guides for the general public:
- Accessing pupils' information
- Fingerprinting in schools
- Exam results
- Taking photos in schools
- Accessing official information
Department for Education - DfE advice on protection of biometric information of children in schools
Flowchart setting out action to be taken following a subject access request